西西河

Topic: [Notice] A brief explanation of the 5-6 hour outage of 西西河, and other matters; everyone please take note -- 铁手

Difficult problem

Did they provide details? I remember you set proc/thread limit = 500 on Apache. Hard to believe that only 500 procs would take down all procs. For DOS, it will be idling connections, which should not take out DNS normally. Might be something I don't know.

1. Ask for a separate DNS server. cchere already hosts several websites. Having DNS on the same machine will be too easy for DOS. A DNS server is normally shared, so it should be free.

2. If this is really DDOS, you have very little choice w/o the help from their ISP. Right now it does not appear to be that bad. If it gets worse, you would have to choose b/w blocking innocent people vs. not serving the majority -- people who want to come can still use a proxy to access cchere.

You would want to do IP filtering as early as possible, ideally on the incoming firewall. Host.deny is a little late. That firewall/router hardware supports off-the-wire classification. This means the server does not even see the incoming connection request.
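An added example, not part of the original post: it tallies ESTABLISHED connections per source from `netstat -tn`-style output, compares the total held by heavy sources against the 500-worker limit the post mentions, and lists which ordinary clients a wider /24 block would also cut off. The sample lines, the per-IP threshold of 20 and all function names are constructed for illustration; IPv4 only.

```python
import ipaddress
from collections import Counter

WORKER_LIMIT = 500  # Apache proc/thread limit quoted in the post
PER_IP_MAX = 20     # assumed per-client threshold, not from the post

def build_sample():
    """Constructed netstat -tn style output using documentation address ranges."""
    lines = ["Proto Recv-Q Send-Q Local Address Foreign Address State"]
    def add(ip, n, state="ESTABLISHED", lport=80):
        for i in range(n):
            lines.append(f"tcp 0 0 192.0.2.10:{lport} {ip}:{40000 + i} {state}")
    add("198.51.100.7", 180)              # heavy source
    add("198.51.100.9", 150)              # heavy source
    add("198.51.100.23", 2)               # ordinary reader in the same /24
    add("203.0.113.5", 3)                 # ordinary reader elsewhere
    add("203.0.113.8", 4, state="TIME_WAIT")  # closed, holds no worker
    add("203.0.113.5", 1, lport=22)       # not web traffic
    return "\n".join(lines)

def parse_sources(text, port=80):
    """Count ESTABLISHED connections to the local port, keyed by remote IP."""
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] != "tcp" or f[5] != "ESTABLISHED":
            continue  # header, other protocols, non-established states
        if f[3].rsplit(":", 1)[-1] != str(port):
            continue
        counts[f[4].rsplit(":", 1)[0]] += 1
    return counts

def plan_blocks(counts, per_ip_max=PER_IP_MAX, limit=WORKER_LIMIT):
    """Pick per-IP block candidates and show who a /24 block would also hit."""
    heavy = {ip: n for ip, n in counts.items() if n > per_ip_max}
    held = sum(heavy.values())
    collateral = {}
    for ip in heavy:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        collateral[str(net)] = sorted(
            o for o in counts
            if o not in heavy and ipaddress.ip_address(o) in net)
    return {"block_ips": sorted(heavy), "slots_held": held,
            "pool_share": held / limit, "collateral_if_block_24": collateral}

if __name__ == "__main__":
    print(plan_blocks(parse_sources(build_sample())))
```

The `block_ips` list is what would go into the upstream firewall; the collateral map is the "blocking innocent people" cost of widening the rule.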


Copyright © cchere 西西河